May 05, 2015
Mobile devices play a crucial role in day-to-day life. With the increasing popularity of BYOD within the workplace, smartphones and tablets are handling a growing amount of sensitive data. In order to prevent your mobile applications from jeopardising this data, it’s essential that developers recognise the most common security mistakes made during mobile application development.
1) No Data Encryption
Data-in-motion security should be one of the biggest priorities of any mobile developer – but a surprising amount of mobile applications end-up as finished products without any form of encryption.Mobile apps repeatedly pass sensitive data between the application and the server. This potential weak point is one of the first areas exploited by hackers, and apps that use weak encryption protocols regularly fall victim to their attacks.To prevent the theft of user data, it’s essential to include some form of properly implemented encryption, like SSL (Secure Sockets Layer) protocol. Some form of encryption should be applied to data at all stages – both in-rest and in-motion.
2) Failing to Sanitise User Input
SQL injection and Cross-Site Scripting (XSS) are two of the most common and potentially damaging security vulnerabilities around. Repeatedly referenced in the OWASP Top 10 list of mobile application threats, they post a serious problem for mobile applications.SQL injection in particular makes it easy for malicious attackers to steal, modify or delete sensitive data from within your application’s database. With potentially catastrophic outcomes, it’s vital that all input fields are properly programmed, and all forms of user input are properly sanitised and validated (both client-side and server-side). This approach should also be backed-up by automated application testing, to ensure that your application isn’t vulnerable to this type of attack.
3) Letting Users Choose Weak Passwords
Poor password security is one of the most common causes of security breaches – despite being relatively easy to remedy. Despite the fact that the vast majority of an application’s end-users will have poor security habits, it’s at least possible to use your application to encourage the selection of relatively secure passwords.Your mobile app should ask its users to choose strong alphanumeric passwords, of at least 8 characters. Whilst these passwords can be random strings of characters, it’s often better to ask users to choose a long string of memorable (albeit unrelated) words. A password like applepositiondinosaurnowseven will be both stronger and easier to remember than a password like je5%d3Ps.
4) Storing Passwords in Clear Text
Once your user has chosen a secure password, it’s essential for your application to store it in a secure way.Many developers choose to store user authentication credentials in clear text format. In the event of the database being breached, the malicious attackers will gain immediate access to usernames and passwords. To add an extra layer of security to this type of valuable data, it’s vital to store passwords and login credentials in an encrypted format within your database.
5) Trusting Third-Party Code
Like most forms of development, mobile application development often uses elements of third-party code – whether open source or your own team’s proprietary code. Any form of third-party code brings with it its own set of risks; making it extremely hard for developers to assess the security vulnerabilities of the code they’re building into an application.Third-party code plays a hugely important role in mobile application development, so it isn’t feasible to simply abandon the practice. Instead, it’s a great idea to read-up on the guidance surrounding the use of third-party code – especially resources from the Trustworthy Software Initiative.
6) Storing Data in the Device Memory
One of the more common mobile security mistakes is the storing of crucial data in the device memory. User information, encryption keys and even payment details are often stored locally – presenting a real problem if the device falls into the wrong hands.This problem is worsened if the local storage environment is shared by other mobile applications. Each application offers another way for an attacker to gain entry to the device memory. If an attacker exploits a loophole in one application, they’ll still gain access to the secure information stored by your app.It’s better to avoid storing any form of data locally, and instead access data only when the user logs into the app, before erasing it on logout.